PCI Compliance
What is PCI?
The Payment Card Industry Security Standards Council was set up in 2006 by the major credit card companies, namely Visa, Mastercard, American Express, JCB, and Discover Financial Services.
PCI-DSS
The Payment Card Industry Data Security Standard (PCI-DSS) was established to regulate and improve the handling of sensitive credit card information. Every year in the UK alone it is estimated that credit card fraud costs the industry in excess of £450 million.
Problems for business:
Cost - obtaining compliance for your call centre can be expensive, including system upgrades, regular external audits, and dedicating staff resources to the project on a permanent basis.
Time - a significant time investment is required to project manage, review, and then implement the requirements of the PCI Data Security Standard. Businesses need to make a long-term commitment.
The PCI Data Security Standard is made up of 12 top level requirements:
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement strong access control measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel
Contact centres come under particular focus as a business area where fraudulent activity is higher than average. Call centre agents are heavily exposed to credit card data, and the requirements a typical call centre operation must meet to achieve PCI compliance are extensive.
What’s the risk?
The risk to businesses handling sensitive cardholder data is great, both in terms of potential financial loss and brand image. The major card companies have indicated that fines can be as high as $500,000 for a total breach of sensitive cardholder data, with lesser fines for general non-compliance with PCI standards. Of course, the financial ramifications may pale by comparison with the damage to a major brand, as consumers lose trust in businesses with well-publicised breaches.
Becoming compliant
Becoming PCI compliant is an expensive, time-consuming, and ever-evolving process. It involves invasive procedures, interrogating infrastructure and personnel at every level. For the contact centre, the problems range from the operational difficulties of clean room environments to the technical difficulties of data encryption, deletion, and storage management.
What is the solution?
The solution is PCI-PAL.
PCI-PAL allows contact centres to de-scope the PCI risk by preventing sensitive cardholder data from entering their network, while still allowing agents to take card payments over the phone through operationally sound methods. The agent remains in conversation with the caller at all times, ensuring a neat and secure process for both the customer and the contact centre.